SunSetup
Info needed before starting

# Hostname, Domain Name
# IP address, Subnet/Netmask
# Default router IP
# IPs of DNS servers
# Time Zone
# SNMP (disable or new RO password)
# NTP Server info
# SMTP mail server FQDN

Install procedure (from CLI install)

# Language: *English*
# Networked? *Yes*
# Use DHCP? *No*
# Hostname: (fill in)
# IP: (fill in)
# Part of a subnet? *Yes*
# Netmask: (fill in)
# IPv6? *No*
# Default Route: *specify one*
# Router IP: (fill in)
# Configure Kerberos? *No*
# Name Service? *DNS*
# Domain Name? (fill in)
# DNS servers? (fill in)
# Search Domain? *(blank)*
# NFSv4 domain configuration? *use the NFSv4 domain derived by system*
# Timezone: (fill in)
# Set Time
# Specify root password
# Enable remote services? *Yes*
# Installation? *End User*
# Automatically eject CD/DVD? *Yes*
# *Auto Reboot*
# The system is being installed
# Accept License
# Select Region: under *North America*, choose *U.S.A. (UTF-8)*
# Initial Locale: *Posix C*
# Additional Products: *none*
# Filesystem: *UFS*
# Select Software: *Core*
# Select Disks: (fill in)
# Preserve existing data? *No*
# Auto Layout Filesystem? *customize*
# Create partitions (see below)
# Mount remote file systems? *No*
# Beginning install…
Disk layout

For the disk layout, be sure to create the following partitions:

 /      (8GB)    slice 0
 /var   (8GB)    slice 1
 swap   (4GB)    slice 3
 /home  (~20GB)  slice 4
 metadb (100MB)  slice 7

Final partitioning should look something like this:

 Part      Tag    Flag     Cylinders         Size            Blocks
   0       root    wm       0 -   824        8.01GB    (825/0/0)    16790400
   1 unassigned    wm     825 -  1649        8.01GB    (825/0/0)    16790400
   2     backup    wu       0 - 14086      136.71GB  (14087/0/0)   286698624
   3 unassigned    wm    1650 -  2062        4.01GB    (413/0/0)     8405376
   4 unassigned    wm    2063 -  4123       20.00GB   (2061/0/0)    41945472
   5 unassigned    wm       0                0         (0/0/0)           0
   6 unassigned    wm       0                0         (0/0/0)           0
   7 unassigned    wm   14076 - 14086      109.31MB     (11/0/0)      223872

Additional Packages

Additional packages that probably should be installed manually:

* *SUNWman* – the man pages
* *SUNWfwflash* – if you ever need to update the server's flash
* *SUNWaccr* – for SAR
* *SUNWcdrw* & *SUNWdvdrw* – for writing CDs/DVDs, if able

Mirroring Root Drive

NOTE: Some servers (i.e. Txxxx) are mirrored by RAID hardware.

For the example here, it is assumed the drive you installed Solaris on is *c1t0d0* and the second drive is *c1t0d1*, and that it is sliced up as described above.

# Copy the primary disk's partition table:
 prtvtoc /dev/rdsk/c1t0d0s2 > /var/tmp/rootdisk
# Format the new disk with it:
 fmthard -s /var/tmp/rootdisk /dev/rdsk/c1t0d1s2
# Now create the metadb on both drives:
 metadb -a -c 3 -f c1t0d0s7 c1t0d1s7
# Encapsulate the partitions and put them in mirror groups. *Remember – DON'T mirror the metadb partition (slice 7)*:
 metainit -f d11 1 1 c1t0d0s0 ; metainit -f d12 1 1 c1t0d1s0
 metainit -f d21 1 1 c1t0d0s1 ; metainit -f d22 1 1 c1t0d1s1
 metainit -f d51 1 1 c1t0d0s4 ; metainit -f d52 1 1 c1t0d1s4
 metainit d20 -m d21
 metainit d50 -m d51
 metainit d10 -m d11
 metaroot d10
 (metaroot automatically updates /etc/system and /etc/vfstab so that the root file system uses the metadevice.)
Edit /etc/vfstab and change the /var and /home mount lines to be:

 /dev/md/dsk/d20 /dev/md/rdsk/d20 /var  ufs 1 no -
 /dev/md/dsk/d50 /dev/md/rdsk/d50 /home ufs 1 no -

Then do:

 reboot
 metattach d10 d12   (attaches the second disk to the mirror set)
 metattach d20 d22
 metattach d50 d52

To check the status of the synchronizations:

 metastat

Make the mirror disk bootable:

 installboot /usr/platform/`uname -i`/lib/fs/ufs/bootblk /dev/rdsk/c1t0d1s0

Determine the physical device path of the mirror disk:

 ls -l /dev/dsk/c1t0d1s0

The output will be something like this:

 ... /dev/dsk/c0t1d0s0 -> ../../devices/pci@1f,4000/scsi@3/sd@1,0:a

Using the info obtained in the previous step, make a devalias for the mirror:

 eeprom "nvramrc=devalias mirror /pci@1f,4000/scsi@3/disk@1,0"
 eeprom "use-nvramrc?=true"

Add the mirror device alias to the OpenBoot parameter boot-device, so the system can still boot if there is a problem with the primary boot device:

 eeprom "boot-device=disk mirror cdrom net"

Remember to add the new swap partition to the system:

 swap -a /dev/dsk/c1t0d1s3

And don't forget to add the new swap partition to the /etc/vfstab file:

 /dev/dsk/c1t0d1s3 - - swap - no -

Security

SSH Configuration

Edit the /etc/ssh/sshd_config file and put the following at the end of the file:

 GatewayPorts no
 AllowTcpForwarding no
 KeepAlive yes
 Protocol 2
 Port 22

Password Configuration

Check your Information Security Handbook for current guidelines for passwords. The default is 30 days before a password must be changed, but there are exceptions. Exceptions to the 30-day change requirement are granted on administrative accounts for any account that has one or more of the following mitigating controls:

* Restriction of that account from being used to obtain direct remote access to the system
* Requirement for the use of two-factor authentication such as SecurID
* Use of a complex password longer than 14 characters

Generally there are three classifications of passwords:

# Normal user accounts – expiration 90 days
# Service and System Accounts (i.e.
never used by a user) – long complex passwords (15+ characters) that must be changed once a year
# User Accounts – expiration 30 days

Edit the appropriate password aging controls in /etc/default/passwd. For example:

 MAXWEEKS=13
 MINWEEKS=1
 PASSLENGTH=7
 WARNWEEKS=1

Solaris Security Kit

# Download and install the "Solaris Security Toolkit" (current version is 4.2) from here.
# CD to /opt/SUNWjass/Drivers/ and edit the hardening.driver file (if it doesn't exist there, use the example file in the same directory).
# Ensure the following lines are commented out (unless the service will be needed):
 # disable-keyboard-abort.fin
 # disable-nfs-client.fin
 # disable-picld.fin
 # disable-rpc.fin
 # disable-sendmail.fin
 # enable-password-history.fin
 # print-rhosts.fin
 # set-user-password-reqs.fin
 # enable-bsm.fin
 # install-strong-permissions.fin
 # enable-bart.fin
# To run the script:
 /opt/SUNWjass/bin/jass-execute -d secure.driver
# To audit:
 jass-execute -a secure.driver
# To uninstall:
 jass-execute -u
# After running JASS and before rebooting: if you need to be able to SSH into the box while setting it up, then in /etc/ssh/sshd_config look for the line "PermitRootLogin no" and change it to "PermitRootLogin yes". Be sure to set this back to "no" afterwards.
# Make sure /etc/hosts.allow has the line "sshd: ALL".
# Reboot the system.
# NOTE: If any user accounts were created before this, it will force them to create a new password on next logon. To fix this for all users, do passwd -u.

Patching

Two ways to do patching:

# Download PCA. Note: you will need a Sun account to get all the patches. For syntax run "pca -h". To have it install ALL applicable patches, run "pca -a -i missing" ("-a" asks for the Sun login/password, "-i" is install). If you only want to do security and recommended patches, do "pca -a -i missingrs".
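A post-hardening check for the SSH and password-aging settings above, added here as an example; it is not part of this page and not part of the Solaris Security Toolkit. It runs against two constructed sample files: an sshd_config that still carries the temporary "PermitRootLogin yes" from the JASS step, and an /etc/default/passwd whose PASSLENGTH is below the 7 this page sets. Each value that differs from what the page requires is reported, so the check can be run after the final reboot to confirm nothing was left open. It assumes a POSIX sh with awk and mktemp; the temp paths, function names and sample contents are the example's own.

```shell
#!/bin/sh
# Added example: audit sshd_config and /etc/default/passwd against the
# values this page sets. Sample files are constructed, not from a real host.

AUDIT_DIR=$(mktemp -d)
trap 'rm -rf "$AUDIT_DIR"' EXIT
SSHD_CONF="$AUDIT_DIR/sshd_config"
PASSWD_DEF="$AUDIT_DIR/passwd"

cat > "$SSHD_CONF" <<'EOF'
# constructed sshd_config: root login still enabled from the JASS step
Protocol 2
Port 22
PermitRootLogin yes
GatewayPorts no
AllowTcpForwarding no
KeepAlive yes
EOF

cat > "$PASSWD_DEF" <<'EOF'
# constructed /etc/default/passwd: PASSLENGTH below the page's 7
MAXWEEKS=13
MINWEEKS=1
PASSLENGTH=6
WARNWEEKS=1
EOF

# sshd_directive FILE KEY: effective value of KEY (keywords are
# case-insensitive; the last uncommented occurrence wins, which is why
# appending to the end of the file, as the page does, takes effect).
sshd_directive() {
    awk -v key="$2" 'tolower($1) == tolower(key) { v = $2 } END { print v }' "$1"
}

# passwd_default FILE KEY: value of a KEY=value line in /etc/default/passwd.
passwd_default() {
    awk -F= -v key="$2" '$1 == key { v = $2 } END { print v }' "$1"
}

# audit_sshd FILE: one FAIL line per directive that is not at the value this
# page requires after hardening; returns 1 if anything failed.
audit_sshd() {
    rc=0
    for pair in "PermitRootLogin:no" "GatewayPorts:no" \
                "AllowTcpForwarding:no" "Protocol:2"; do
        key=${pair%%:*}; want=${pair#*:}
        got=$(sshd_directive "$1" "$key")
        [ "$got" = "$want" ] || { echo "FAIL $key=$got (want $want)"; rc=1; }
    done
    return $rc
}

# audit_passwd FILE: PASSLENGTH must be at least 7 and MAXWEEKS at most 13,
# the values the page's example sets; returns 1 if either is off.
audit_passwd() {
    rc=0
    len=$(passwd_default "$1" PASSLENGTH)
    [ "${len:-0}" -ge 7 ] || { echo "FAIL PASSLENGTH=$len (want >= 7)"; rc=1; }
    max=$(passwd_default "$1" MAXWEEKS)
    [ -n "$max" ] && [ "$max" -le 13 ] || { echo "FAIL MAXWEEKS=$max (want <= 13)"; rc=1; }
    return $rc
}

# Run both audits on the constructed files; each reports one finding.
audit_sshd "$SSHD_CONF" || echo "sshd_config: not yet hardened"
audit_passwd "$PASSWD_DEF" || echo "/etc/default/passwd: not yet hardened"
```

On a real system, point the two functions at /etc/ssh/sshd_config and /etc/default/passwd instead of the constructed files; a clean run prints nothing and both functions return 0.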
Other Post Install Tasks

# If Oracle will be installed, ensure the following Solaris packages are installed:
 SUNWarc SUNWbtool SUNWhea SUNWlibm SUNWlibms SUNWsprot SUNWsprox SUNWtoo SUNWi1of SUNWxwfnt SUNWi1cs SUNWi15cs
# Add a user account for netalert if needed: account "netalert", group "admin", complex (i.e. 15+ characters) password that doesn't expire. You will need to later log into the site's Netalert account and set it up for the site (i.e. whom to alert, what to monitor, etc.).
# Update Site Documentation.

Removal of Unnecessary Software and Auditing

# To lock down services, run:
 svccfg apply /var/svc/profile/generic_limited_net.xml
 *NOTE*: re-enable SNMP if used:
 svcadm enable sma
# Search for and uninstall unneeded packages, such as language packs and StarOffice. For example, in a bash or korn shell do:
 for i in `pkginfo | egrep '(French|Japan|staroffice)' | awk '{print $2}'`; do yes | pkgrm $i; done

Install TOP & SUDO

Download & install *top* & *sudo* (and dependencies) from http://www.sunfreeware.com/

Install NX

Download the *FREE* version of the http://www.nomachine.com NX client, node, and server.

# Install the files (i.e. "pkgadd -d ").
# Add to root's crontab (i.e. "crontab -e") the following:
 0 0 * * * cp /dev/null /usr/NX/etc/user.db > /dev/null 2>&1

Configure Sendmail

In /etc/mail, edit sendmail.cf and submit.cf to contain:

 Dj
 DS

For example:

 Djhosting.BLAH.com
 DSsmtp-gateway.hosting.BLAH.com

If external DNS doesn't resolve your server's name (i.e. you can look up blah.edu but not server1.blah.edu) and you wish to receive mail from the server, then set the Dj in submit.cf like this:

 Djblah.edu

Configure Sudo

Add the admin group to sudoers: run */usr/sbin/visudo* and add:

 %admin ALL=(ALL) ALL

Configure SNMP

* The SMF service that SNMP runs from is SMA.
* SMA is started by the script /lib/svc/method/svc-sma.
* The SMA script uses /etc/sma/snmp/snmpd.conf. You will need to edit this.
# Change the line "DISABLE=YES" to "DISABLE=NO".
# Comment out the rwcommunity line.
# Change the rocommunity password to either the sitewide community password or to something other than "public".
# Restart SNMP:
 svcadm restart sma

Configure NTP

Edit the /etc/inet/ntp.conf file to set up the NTP server. Usually it's the IP address of the default gateway. After it is configured, run "ntpdate" to update the system time to the current time, then do "svcadm enable ntp" to start NTP.

Configure SAR

* Make sure user sys is in the /etc/cron.d/cron.allow file, if it exists.
* Edit the crontab for user sys:
 crontab -e sys
* Add the following lines:
 0,10,20,30,40,50 * * * * /usr/lib/sa/sa1
 5 0 * * * /usr/lib/sa/sa2 -s 8:00 -e 00:05 -i 600 -A
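The weak SNMP settings the Configure SNMP steps tell you to change, shown beside the hardened result, as an added example that is not from this page or from Sun's SMA package. It works on a constructed snmpd.conf fragment laid out the way those steps describe (a DISABLE=YES line, a live rwcommunity, and rocommunity left at "public"); a real /etc/sma/snmp/snmpd.conf contains much more than this, and the functions leave every other line untouched. SITE_RO_COMMUNITY is a placeholder for the sitewide read-only community string. It assumes a POSIX sh with awk and mktemp; the paths and function names are the example's own.

```shell
#!/bin/sh
# Added example: report and fix the snmpd.conf settings this page flags.
# The input file is constructed for the example, not taken from a host.

SNMP_DIR=$(mktemp -d)
trap 'rm -rf "$SNMP_DIR"' EXIT
SNMPD_WEAK="$SNMP_DIR/snmpd.conf.weak"
SNMPD_HARD="$SNMP_DIR/snmpd.conf"

cat > "$SNMPD_WEAK" <<'EOF'
# constructed snmpd.conf fragment before hardening
DISABLE=YES
rwcommunity private
rocommunity public
EOF

# snmp_findings FILE: one line per weak setting named on this page: the agent
# still disabled, an active write community, or the default read community.
snmp_findings() {
    awk '
        $1 == "DISABLE=YES"                     { print "disabled: " $0 }
        $1 == "rwcommunity"                     { print "write-community: " $0 }
        $1 == "rocommunity" && $2 == "public"   { print "default-community: " $0 }
    ' "$1"
}

# harden_snmpd_conf IN OUT COMMUNITY: write OUT with DISABLE=NO, the
# rwcommunity line commented out, and rocommunity set to COMMUNITY.
# All other lines are copied through unchanged.
harden_snmpd_conf() {
    awk -v community="$3" '
        $1 == "DISABLE=YES" { print "DISABLE=NO"; next }
        $1 == "rwcommunity" { print "#" $0; next }
        $1 == "rocommunity" { print "rocommunity " community; next }
        { print }
    ' "$1" > "$2"
}

# SITE_RO_COMMUNITY is a placeholder for the site's read-only community string.
harden_snmpd_conf "$SNMPD_WEAK" "$SNMPD_HARD" "SITE_RO_COMMUNITY"
echo "findings before hardening:"; snmp_findings "$SNMPD_WEAK"
echo "findings after hardening:";  snmp_findings "$SNMPD_HARD"
```

After writing the hardened file over /etc/sma/snmp/snmpd.conf on a real system, the page's "svcadm restart sma" is still needed for the agent to pick it up; running snmp_findings on the live file afterwards should print nothing.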